
Webcrypto

Open tarpdalton opened this issue 7 years ago • 7 comments

This removes the dependency on crypto.js and uses the webcrypto API. I haven't updated the CLI with the new logic, but I wanted to open this PR with what I had so far. #20

tarpdalton avatar Jun 21 '18 18:06 tarpdalton

It looks like you can't use the web crypto API in a node module. So I don't think we can remove the crypto.js dependency from the CLI.

tarpdalton avatar Jun 22 '18 15:06 tarpdalton

@tarpdalton can't you continue to use crypto-js in the node module, but just change the code in the template HTML file to use the web crypto API (and fall back to asynchronously loading crypto-js if needed)?

epicfaace avatar Jul 04 '20 21:07 epicfaace

@epicfaace yeah, we could do that. We would just have to make sure that something encrypted by crypto-js can be decrypted by webcrypto correctly.

tarpdalton avatar Jul 15 '20 16:07 tarpdalton

I guess this can be revisited now since Node.js 15 has a Webcrypto module now. Current stable Node.js version is 16. https://nodejs.org/api/webcrypto.html

Also there is this package: https://www.npmjs.com/package/node-webcrypto-ossl

DanielRuf avatar Jul 09 '21 13:07 DanielRuf

That's cool. Yeah, we should use the webcrypto API in node, and then crypto-js can be fully removed.

tarpdalton avatar Jul 09 '21 21:07 tarpdalton

I got the CLI working with the node webcrypto API. crypto-js is removed. I don't really use this lib so I can't test it out, but it worked for some simple things. Someone should test it out before it merges.

tarpdalton avatar Jul 10 '21 01:07 tarpdalton

Hey @tarpdalton, thanks a lot for this big PR and my sincere apologies for taking so long to answer (3.5 years since you first opened it :roll_eyes: ). It would be great to remove the crypto-js dependency.

I have two concerns:

  • I need to get more into it, but the code is more complex; it feels a bit like rolling out my own crypto and I'm worried about hidden footguns there.
  • If I'm not mistaken, the WebCrypto API is only available in secure contexts, so the decryption would not work if the page is served over HTTP. This is pretty annoying as I think it might be a legitimate use case. Maybe there can be the option of using either crypto-js or WebCrypto, but it brings complexity both to the code and the end user, so I'm not sure what to do about it.

I'll link to your fork in the readme in the meantime if some people want to use that version already.

robinmoisson avatar Feb 09 '22 13:02 robinmoisson
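
The two checks discussed in the comments above (ciphertext from another library must decrypt under WebCrypto, and `crypto.subtle` is missing outside secure contexts), as an added example that is not part of the thread or StatiCrypt's own code. It assumes Node.js 15+, uses `node:crypto` as a stand-in for crypto-js, and the function names, PBKDF2-SHA256/AES-256-CBC parameters and iteration count are hypothetical choices for illustration.

```javascript
// Added example: names, parameters and sample data are constructed for illustration.
// node:crypto plays the "other library" here (an assumption; the thread means crypto-js).

// Return SubtleCrypto if the scope exposes it, else null. Browsers expose
// crypto.subtle only in secure contexts, so on a page served over plain HTTP
// this returns null and the caller has to load a fallback library instead.
function getSubtle(scope) {
  return scope && scope.crypto && scope.crypto.subtle ? scope.crypto.subtle : null;
}

const ITERATIONS = 100000; // assumed PBKDF2 work factor, must match on both sides

// Encrypt with the non-WebCrypto implementation: PBKDF2-SHA256 then AES-256-CBC.
async function encryptWithOtherLib(password, plaintext) {
  const nc = await import('node:crypto'); // dynamic import works in CJS and ESM
  const salt = nc.randomBytes(16);
  const iv = nc.randomBytes(16);
  const key = nc.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const cipher = nc.createCipheriv('aes-256-cbc', key, iv); // PKCS#7 padding
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext };
}

// Decrypt the same message using only WebCrypto calls.
// Note: CBC alone gives no integrity; this checks format compatibility only.
async function decryptWithWebCrypto(subtle, password, { salt, iv, ciphertext }) {
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  const key = await subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-CBC', length: 256 }, false, ['decrypt']);
  const plain = await subtle.decrypt({ name: 'AES-CBC', iv }, key, ciphertext);
  return new TextDecoder().decode(plain);
}

// Cross-implementation round trip: a mismatch in KDF, key size, IV handling
// or padding between the two libraries shows up as a throw or wrong output.
async function interopRoundTrip(password, plaintext) {
  const { webcrypto } = await import('node:crypto');
  const subtle = getSubtle({ crypto: webcrypto });
  if (!subtle) throw new Error('WebCrypto unavailable: use the fallback library');
  const message = await encryptWithOtherLib(password, plaintext);
  return decryptWithWebCrypto(subtle, password, message);
}
```
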

We now finally rely on WebCrypto in StatiCrypt! The code was merged in #164; it's pretty noisy due to wanting to be as compatible as possible with 2.x custom templates, but it'll get much cleaner in 3.x (the WIP branch is already here).

Thank you very much for opening and updating this PR over the years, it's been a good sanity check for me to read your approach here and useful for the final implementation. As a (very small) token of gratitude, I added your name in the "Thank you! :pray:" README section. Thanks!

robinmoisson avatar Mar 29 '23 15:03 robinmoisson